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1 Introduction 


This research is directed towards the implementation of a comprehensive 
deductive-algorithmic environment (toolkit) for the development and verifi- 
cation of high assurance reactive systems, especially concurrent, real-time, 
and hybrid systems. For this, we have designed and implemented the STeP 
(Stanford Temporal Prover) verification system. 

Reactive systems have an ongoing interaction with their environment, 
and their computations are infinite sequences of states. A large number 
of systems can be seen as reactive systems, including hardware, concurrent 
programs, network protocols, and embedded systems. Temporal logic pro- 
vides a convenient language for expressing properties of reactive systems. A 
temporal verification methodology provides procedures for proving that a 
given system satisfies a given temporal property. 

The research covered necessary theoretical foundations as well as imple- 
mentation and application issues. We summarize the theoretical results in 
Section 2, and then describe, in more detail, the implementation and tools 
that we developed in Section 3. 

Reactive, Real-time and Hybrid Systems 

We say that a system is infinite-state if its computations can reach infinitely 
many distinct states. Such systems contain variables that range over un- 
bounded domains. Most software can be classified as infinite-state, since 
data structures such as integers, lists and trees are best thought of as un- 
bounded. Hardware systems, on the other hand, are finite-state, since they 
can be in only finitely many distinct states; the state depends only on a fixed 
number of bits. Note that computations of finite-state systems are still in- 
finite sequences of states — it is the number of such distinct states that is 
finite. While model checking tools can often automatically verify properties 
of finite-state systems, deductive tools allow verifying infinite-state systems 
as well, with some user interaction. 

Another class of systems to be verified is introduced by parameterization. 
A parameterized system has an arbitrary number of replicated components; 
for instance, nodes in a network protocol, or processors and buses in a 
multiprocessor architecture. Deductive formalisms provide a natural way of 
verifying the general correctness of parameterized systems, for an arbitrary 
number of processes. 

More dimensions of infinity are introduced when considering real-time 
systems, where time advances continuously and the time elapsed between 
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Figure 1: Scope of STeP 

events can be measured. A further extension is given by hijbrid systems , 
where continuous variables evolve over time as determined by differential 
equations. 

The various systems STeP can verify differ in their time model — discrete, 
real-time, or hybrid — as well as in the domain of their state variables, which 
can be finite or infinite. Furthermore, systems can be parameterized in the 
number of processes that compose them (iV-process systems). All of these 
systems can be modeled, however, using the same underlying computational 
model: (fair) transition systems [MP95]. This basic model is extended in 
appropriate ways to allow for modular structures, hardware-specific compo- 
nents, clocks, or continuous variables. Figure 1 describes the scope of STeP, 
classified along these three main dimensions. 
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2 Theoretical Foundations 

2.1 System Representation: Transition Systems 

The basic system representation in STeP uses a set of transitions. Each tran- 
sition is a relation over unprimed and primed system variables, expressing 
the values of the system variables at the current and next state. Transitions 
can thus be represented as general first-order formulas, though more spe- 
cialized notations for guarded commands and assignments is also available. 
In the discrete case, transitions can be labeled as just or compassionate ; 
such fairness constraints are relevant to the proof of progress properties (see 
[MP95]). 

SPL Programs: For convenience, discrete systems can be described in the 
Simple Programming Language (SPL) of [MP95]. SPL programs are auto- 
matically translated into the corresponding fair transition systems, which 
are then used as the basis for verification. 

Real-Time Systems: STeP can verify properties of real-time systems, us- 
ing the computational model of clocked transition systems [MP96]. Clocked 
transition systems consist of standard instantaneous transitions that can re- 
set auxiliary clocks, and a progress condition that limits the time that the 
system can stay in a particular discrete state. Clocked transition systems are 
converted into discrete transition systems by including a tick transition that 
advances time, constrained by the progress condition. The tick transition is 
parameterized by a positive real-valued duration of the time step. 

Hybrid Systems: Hybrid transition systems generalize clocked transition 
systems, by allowing real- valued variables other than clocks to vary contin- 
uously over time. The evolution of continuous variables is described by a 
set of constraints, which can be in the form of sets of differential equations 
or differential inclusions. Similar to clocked transition systems, hybrid tran- 
sition systems are converted into discrete transition systems by including a 
tick transition, parameterized by the duration of the time step. However, 
for hybrid systems the tick transition must not only update the values of 
the clocks, which is straightforward, but must also determine the value of 
the continuous variables at the end of the time step. The updated value of 
the continuous variables is represented symbolically; axioms and invariants, 
generated based on the constraints, are used to determine the actual value 
or the range of values at the time they are needed. 

Other formalisms such as timed transition systems, timed automata and 
hybrid automata can be easily translated into hybrid and clocked transition 


5 



systems [MP96]. 

Modularity: Complex systems are built from smaller components. Most 
modern programming languages and hardware description languages there- 
fore provide the concept of modularity. STeP includes facilities for modular 
specification and verification [FMS98], based on modular transition systems , 
which can concisely describe complex transition systems. Each module has 
an interface that determines the observability of module variables and tran- 
sitions. The interface may also include an environment assumption, a rela- 
tion over primed and unprimed interface variables that limits the possible 
environments the module can be placed in. The module can only be com- 
posed with other modules that satisfy the environment assumption. Com- 
munication between a module and its environment can be asynchronous, 
through shared variables, and synchronous, through synchronization of la- 
beled transitions. 

More complex modules can be constructed from simpler ones by pos- 
sibly recursive module expressions, allowing the description of hierarchical 
systems of unbounded depth. Module expressions can refer to modules de- 
fined earlier, or instances of parameterized modules, enabling the reuse of 
code and of properties proven about these modules. Besides the usual hid- 
ing and renaming operations, the language provides a construct to augment 
the interface with new variables that provide a summary value of multiple 
variables within the module. Symmetrically, a restriction operation allows 
the module environment to combine or rearrange the variables it presents 
to the module. 

Real-time and hybrid systems can also be described as modular systems; 
discrete, real-time and hybrid modules may be combined into one system. 
The evolution constraints of hybrid modules may refer to continuous vari- 
ables of other modules, thus enabling the decomposition of systems into 
smaller modules. To enable proofs of nontrivial properties over such mod- 
ules, we allow arbitrary constraints on these external continuous variables 
in the environment assumption. 

2.2 Property Specification: Temporal Logic 

We use linear-time temporal logic (LTL) as our property specification lan- 
guage. Formulas of LTL describe sets of infinite sequences of states. We 
say that a system S satisfies a temporal property <p, written S (= <p, if every 
computation of S satisfies <p. 

The temporal logic is defined relative to an assertion language, which is 
used to characterize sets of states. For this, we use the full expressive power 
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of first-order logic, including both interpreted function symbols and pred- 
icates. This logic is supported by the corresponding automated deductive 
(theorem-proving) tools. 

The system models of clocked and hybrid transition systems (see above) 
do not require any extension to the property specification language; the 
global clock is a system variable that can be directly referenced in temporal 
specifications. The assertion language can describe constraints on the clocks 
and, in the case of hybrid systems, other continuous variables. 

2.3 Deductive Verification 

The deductive methods of STeP verify temporal properties of systems by 
means of verification rules and verification diagrams. Verification rules re- 
duce temporal properties of systems to first-order verification conditions 
[MP95]. Verification diagrams [MP94] provide a visual language for guid- 
ing, organizing, and displaying proofs, and automatically generating the 
appropriate verification conditions as well (see Section 3.3). 

Since clocked and hybrid transition systems are converted into fair tran- 
sition systems, verification rules and diagrams are uniformly applicable to 
discrete, real-time and hybrid systems. However, due to the parameteriza- 
tion of the tick transition, the resulting verification conditions for real-time 
and hybrid systems are usually more complex than those for (unparameter- 
ized) discrete systems. 

2.4 Deductive- Algorithmic Verification 

Algorithmic methods such as model checking can automatically verify tem- 
poral properties of reactive systems, but are restricted to finite-state systems 
(or very specialized classes of infinite-state ones). We have developed a num- 
ber of formalisms that combine deductive methods and algorithmic methods 
to verify, more automatically, general infinite-state systems, and extending 
the expressiveness of model checking tools. 

2.4.1 Deductive Model Checking 

Deductive model checking [SUM99] allows the interactive model checking 
of infinite-state systems. Standard explicit-state model checking searches 
the product of system’s state-space and the tableau (automaton) for the 
negation of the temporal property being verified, in the search for a coun- 
terexample computation. Deductive model checking transforms a diagram 
that abstracts this product, called a falsification diagram , starting with a 
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general skeleton of the product graph and refining it until a counterexample 
is found, or the impossibility of such a counterexample is demonstrated. 

The deductive model checking (DMC) procedure starts with an initial 
falsification diagram that embeds all models of the negation of the property. 
Transformations are then applied, producing a sequence of falsification dia- 
grams. Each transformation preserves the computations of the system that 
are embedded in the diagram, guaranteeing that each falsification diagram 
includes all system computations that violate the property. If we obtain a 
diagram that does not embed any computation, then the system satisfies 
the property. 

In the general infinite-state case, the deductive model checking procedure 
will be interactive, and is not guaranteed to terminate. In the finite-state 
case, it can be used as a decision procedure for establishing temporal prop- 
erties, as done by standard model checking. However, the entire state-space 
does not always have to be explored in this case. 

2.4.2 Generalized Verification Diagrams 

Verification Diagrams provide a graphical representation of a deductive 
proof, summarizing the necessary verification conditions, and are therefore 
easier to construct and understand. Generalized Verification Diagrams ex- 
tend them to be applicable to arbitrary temporal properties, replacing the 
well-formedness check on the diagram by a finite-state model checking step. 
They are a complete proof method for general (state-quantified) temporal 
formulas, relative to the reasoning required to establish verification condi- 
tions. 

The diagrams of [BMS95] use Street acceptance conditions. In [MBSU98, 
Sip98], we present an alternative description of generalized verification di- 
agrams based on Muller acceptance conditions, which are less concise but 
more intuitive to the user. 

The thesis [Sip98] presents diagram-based formalisms to verify temporal 
properties of reactive system. Generalized verification diagrams represent 
the temporal structure of the program as relevant to the property they prove. 
The deductive component of a verification diagram defines a set of first-order 
verification conditions that, when proven valid, show that all behaviors of 
the system are embedded in the diagram. The algorithmic component is 
an automata-theoretic language inclusion check that determines whether all 
behaviors of the diagram satisfy the property. 

We show how these methods can be used to verify not only discrete sys- 
tems, but real-time and hybrid systems as well. We also present two special- 
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ized classes of diagrams for these systems: nonzenoness diagrams represent 
a proof that a real-time or hybrid system is time-divergent, that is, all be- 
haviors of the system can be extended into behaviors in which time grows 
beyond any bound. Receptiveness diagrams prove a related property of real- 
time and hybrid modules that implies time divergence and is preserved by 
parallel composition. 

2.4.3 Abstraction 

In [CU98], we present an algorithm that uses decision procedures to generate 
finite-state abstractions of possibly infinite-state systems. The algorithm 
compositionally abstracts the transitions of the system, relative to a given, 
fixed set of assertions. Thus, the number of validity checks is proportional 
to the size of the system description, rather than the size of the abstract 
state-space. The generated abstractions are weakly preserving for VCTL* 
temporal properties, including LTL. 

The thesis [Uri98] presents an abstraction-based framework for verifying 
temporal properties of reactive systems, to allow more automatic verifica- 
tion of general infinite-state systems and the verification of larger finite- 
state ones. Underlying these deductive-algorithmic methods is the theory 
of property-preserving assertion-based abstractions , where a finite-state ab- 
straction of the system is deductively justified and algorithmically model 
checked. 

3 Implementation: STeP 

The Stanford Temporal Prover (STeP) is a tool for the computer-aided for- 
mal verification of reactive systems, including real-time and hybrid systems, 
based on their temporal specification. STeP integrates model checking and 
deductive methods to allow the verification of a broad class of systems, 
including parameterized (TV-component) circuit designs, parameterized (TV- 
process) programs, and programs with infinite data domains. 

Figure 2 presents an outline of the STeP system. The main inputs are 
a reactive system and a property to be proven for it, expressed as a tem- 
poral logic formula. The system can be a hardware or software description, 
and include real-time and hybrid components. Verification is performed by 
model checking or deductive means or a combination of the two. 
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Hardware Discrete Real-Time Hybrid 



Figure 2: An outline of the STeP system 

3.1 User Interface 

STeP 2.0 has a graphical user interface implemented in Java. The deductive 
verification and theorem-proving components of STeP are implemented in 
Standard ML of New Jersey, while the model checking tools are implemented 
in C, for added efficiency. The ML component of STeP can also access 
external OBDD libraries implemented in C. 

STeP provides a comprehensive, integrated environment to prove tempo- 
ral properties over reactive systems. The STeP Session Editor, presented in 
Figure 3, keeps track of the main properties of interest throughout the verifi- 
cation session, including axioms, assumptions, previously proven properties, 
and automatically generated invariants, as well as the module to which each 
applies. Thus, it can handle multiple systems and proofs simultaneously. 
Properties can be activated or deactivated to control the extent of their use 
in automatic theorem-proving. 

Figure 4 shows the STeP Proof Editor, which is used to apply the basic 
deductive temporal verification rules as well as the Gentzen-style interactive 
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Figure 3: STeP Session Editor 


theorem proving rules. In a typical deductive verification effort, the top-level 
goal is a temporal formula to be proven valid for a given system. Verification 
rules or diagrams are used to generate verification conditions, as subgoals, 
which together imply the system validity of the original temporal property. 
These subgoals are then established automatically using decision procedures 
(Section 3.6) or interactively using the Gentzen-style rules. Model checking 
is also initiated by the Proof Editor. 

3.2 Model Checking 

STeP features automatic explicit-state and symbolic model checking for 
linear-time temporal logic. The explicit-state model checker performs an 
incremental (depth-first) search of the state-space, directed by the tempo- 
ral tableau (automaton) for the negated specification. Thus, only those 
states that can potentially violate the specification are visited. This enables 
the use of the explicit-state model checker on some infinite-state systems, 
though it is not guaranteed to terminate for these systems. The symbolic 
model checker uses a breadth-first search through sets of states represented 
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Figure 4: STeP Proof Editor 


by ordered binary decision diagrams (OBDDs). Thus, it is limited to finite- 
state systems, whose variables range over a fixed, finite number of values. 

When transitions can be expressed as guarded commands (i.e., the sys- 
tem is a set of deterministic actions), symbolic model checking is optimized 
using techniques for computing predecessor states without computing the 
entire transition relation. A specialized backwards search for proving invari- 
ants is also available. The set of states visited in the backwards search is 
constrained by auxiliary invariants, which may have been formulated and 
verified before, or generated automatically. 

The symbolic and explicit-state model checkers complement each other. 
Although limited to finite-state systems, the symbolic model checker can be 
considerably more efficient, particularly when the state-space is large and 
the transition relation and fixed points are amenable to representation by 
OBDD’s. On the other hand, the explicit-state model checker is often faster 
on systems with relatively few reachable states. 

3.3 Generalized Verification Diagrams 

Generalized verification diagrams [BMS95, MBSU98] are an extension of 
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Figure 5: STeP Diagram Editor 

verification diagrams that allow the verification of arbitrary temporal prop- 
erties. Diagrams can be seen as intermediaries between the system and 
the property to be proven. A set of verification conditions is proved, de- 
ductively, to show that the diagram faithfully represents computations of 
the system. An algorithmic check then establishes that the diagram corre- 
sponds to the formula being proved. Together, these two stages show that 
all computations of the system are models of the temporal property. 

The STeP Diagram Editor, shown in Figure 5, allows the user to draw a 
diagram and then prove, using the Proof Editor, the associated verification 
conditions. In STeP 2.0, the Diagram Editor and the Proof Editor are more 
tightly coupled, to facilitate the incremental development of diagrams. The 
user can draw an initial version and try to prove the associated verification 
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conditions. If they fail, the user can make local corrections to the diagram 
(or discover something wrong with the system) and attempt the proof again. 

The verification conditions are local to the diagram; failed verification 
conditions point to missing edges or nodes, weak assertions, or possible bugs 
in the system. Since local changes to a diagram do not affect the verification 
conditions elsewhere, much of the work from the previous iteration can be 
saved. Using feedback from the Proof Editor, the Diagram Editor can high- 
light proved and unproved edges and nodes in the diagram, helping the user 
correct the diagram. A change to the diagram automatically invalidates the 
verification conditions in the Proof Editor that are affected by the change. 


3.4 Constructing Finite-State Abstractions 

Temporal properties can be proved for a complex system by finding a simpler 
abstract system such that if the abstract system satisfies a related property, 
then the original concrete system satisfies the original one as well. If the 
abstract system is finite-state, its temporal properties can be established 
automatically using a model checker. We have developed methods for auto- 
matically generating finite-state abstractions of possibly infinite-state sys- 
tems, using the decision procedures in STeP [CU98, Uri98]. We describe 
some of these decision procedures in Section 3.6. 

The abstraction algorithm compositionally abstracts the transitions of 
the system, expressed as first-order relations, relative to a given, fixed set 
of assertions which define the abstract state-space. The number of validity 
checks is proportional to the size of the system description, rather than the 
size of the abstract state-space. 

Once the finite-state abstraction is generated, it can be model checked, 
explicitly or symbolically. The generated abstractions are weakly preserving 
for universal (VCTL*) temporal properties, including LTL. This means that 
validity at the abstract level implies the validity of the original property over 
the concrete system; however, if the abstract property fails, the original 
property might still hold. In this case, we say that the abstraction was 
not fine enough. An abstract counterexample can be used, manually, to 
determine if a corresponding concrete counterexample exists, or else to build 
a finer abstraction. 

3.5 Automatic Invariant Generation 

Deductive verification is usually an incremental process: simple properties 
of the system being verified are proved first and then used to help establish 
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more complex ones. STeP implements techniques for the automatic genera- 
tion of invariants, as described in [BBM97]. Invariant generation is based 
on approximate propagation, starting from the set of initial states, through 
the state-space of the system until a fixpoint is reached. Depending on the 
approximation method used, different types of invariants can be generated: 

• Local invariants result from analyzing the possible values of individual 
variables, as well as the relation between control locations and data 
values. 

• Linear invariants express linear relationships between system vari- 
ables. 

• Polyhedral invariants generalize linear invariants, expressing polyhe- 
dral constraints over sets of system variables. 

For real-time and hybrid systems STeP provides an alternative technique 
of invariant generation, also based on forward propagation of system behav- 
ior through the state space, but now starting from the entire state space 
[BMSU98]. In this case every propagation step leads to an invariant; no 
fixpoint needs to be computed. For hybrid systems these techniques have 
been further optimized to take advantage of the structure of the constraints, 
resulting in stronger invariants. In [MS98] we show an example where the 
invariants thus generated are sufficiently strong to prove the main property 
of interest. 

3.6 Decision Procedures 

The verification conditions generated in deductive verification refer to the 
domain of computation of the system being verified. To establish verifica- 
tion conditions in the most automatic and efficient manner, STeP includes 
decision procedures for a number of theories frequently used in computation 
domains, and thus common in formal verification [Bj098]. 

The basic integration of decision procedures is a variant of Shostak’s 
congruence closure-based algorithm. The version in STeP admits integra- 
tion with special relations such as ordering constraints, non-convex theories, 
and cyclic data-structures. At the top-level, an algorithm based on congru- 
ence closure propagates equality constraints through function symbols. It 
invokes the other decision procedures as auxiliary simplifiers and solvers. 
The theories supported in this way include: 
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• Partial orders. Beyond basic equality, partial orders are a more expres- 
sive constraint language to specify relations between variables. Each 
partial order constraint is represented as an edge in a graph whose 
nodes are congruence closure equivalence classes. 

• Linear and non-linear arithmetic. STeP provides Fourier’s quanti- 
fier elimination procedure to deal with formulas involving linear arith- 
metic; this procedure also extracts implied equalities. Verification con- 
ditions involving nonlinear arithmetic, which are common in the veri- 
fication of hybrid systems, are dealt with by techniques that eliminate 
first- and second-degree variables. Many verification conditions involv- 
ing arithmetical symbols are restricted to linear arithmetic, where mul- 
tiplication is only used with at most one non- numerical argument. For 
this, STeP includes Fourier’s quantifier elimination procedure, which 
also extracts implied equalities. 

• Bit-vectors. Reasoning about bit-vectors is essential for hardware ver- 
ification. STeP includes decision procedures for fixed-size bit-vectors 
with boolean bitwise operations and concatenation, and for non-fixed 
size bit- vectors with concatenation [BP98]. 

• Lists, queues, and word decision procedures. Lists and queues are com- 
mon data structures, especially in systems using abstract datatypes 
or asynchronous channels. Both lists and queues can be viewed as 
special cases of words, with concatenation being the basic operation. 
Although the known decision procedures for word equalities have pro- 
hibitive complexity, the special cases of lists and queues can be solved 
efficiently. 

• Recursive data- types. STeP supports equality reasoning for general 
recursive datatypes, which allow the specification of S-expressions and 
other tree-like structures. Enumeration types and records are treated 
as special cases of recursive datatypes. 

Co-inductive data-types, such as lazy lists, are also supported. Both 
equality constraints and subterm relationships are supported in the 
integration of decision procedures. 

• Set theory. STeP provides basic support for Multi-level Syllogistic Set- 
theory (MLSS). MLSS terms range over sets, and operations include 
union, intersection, set-difference, and finite set-enumeration. Atomic 
relations include set equality, inclusion and membership. 
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STeP uses decision procedures not only to check validity, but to simplify 
formulas as well, rewriting them to smaller, logically equivalent ones. Effi- 
cient formula simplification can make verification conditions more readable 
and manageable, and improves the efficiency of subsequent validity checking. 

Validity Checking: The above decision procedures check validity of ground 
formulas, where no first-order quantification is present. STeP extends this 
combination of ground decision procedures to include theory-specific unifi- 
cation algorithms, which find quantifier instantiations needed for first-order 
validity checking [BSU97]. 

The STeP validity checker is an extension of the Davis-Putnam-Loveland- 
Logemann propositional satisfiability checker, ft operates on formulas in 
nonclausal form, and is extended to consider quantifiers. The procedure is 
intended to preserve the original structure of the formula, including struc- 
ture sharing using let- expressions, as much as possible. Case splitting, 
instantiation, skolemization and simplification can all be performed incre- 
mentally, in a uniform setting. The procedure takes advantage of instantia- 
tions suggested by decision procedures whenever available, but can also use 
“black-box” procedures that only provide yes/no answers. 

Interactive Theorem Proving: An interactive Gentzen-style theorem 
prover is available as part of the Proof Editor to establish verification con- 
ditions that are not proved automatically. This prover features induction 
over well-founded domains, and Gentzen rules for temporal reasoning. It is 
complete for (uninterpreted) first-order logic: if the formula is valid, a proof 
for it can be found. 

The Gentzen prover builds a proof tree. Each node of the tree is as- 
sociated with a subgoal, where the root is the formula to be proved. At 
each step, a rule is applied, which reduces the validity of the current node 
to the validity of its children. At the leaves, the validity of the subgoal is 
established using the automatic decision procedures and validity checking 
procedures. 

User guidance comes in three main forms: the choice of rule to apply, 
the use of cut formulas , which are arbitrary user- provided formulas used to 
perform case analysis, and the duplication and instantiation of quantified 
formulas. 

3.7 Modular Verification 

Different components of a large system may require the application of differ- 
ent verification methodologies, depending on their specific type (real-time 
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or discrete, finite- or infinite-state). Using the notion of modular validity, 
modular properties can be established by the same set of methods as global 
properties, accounting for environment transitions. Automatic property in- 
heritance then ensures that such properties can be used as lemmas in proofs 
over composite modules. In the case of recursively defined systems, proper- 
ties can be established by structural induction. 

Many properties are not directly guaranteed by a module, but hold only 
under certain assumptions. STeP’s proof management allows assumptions 
to be used before their proof is available, checking the resulting dependency 
diagram to avoid unsound circular reasoning. Assumptions about the envi- 
ronment can be made when proving a modular property, and subsequently 
discharged when the module is composed with another. The search for ap- 
propriate assumptions can be guided by constructing verification diagrams 
for each module and attempting to prove the associated verification condi- 
tions [FMS98, MCF + 98]. 

4 Applications 

4.1 Real-time Systems 

In [BMSU97], we present a modular framework for proving temporal prop- 
erties of real-time systems, based on clocked transition systems and linear- 
time temporal logic. We show how deductive verification rules, verification 
diagrams, and automatic invariant generation can be used to establish prop- 
erties of real-time systems in this framework. We also discuss global and 
modular proofs of the branching-time property of non-Zenoness. As an 
example, we present the mechanical verification of the generalized railroad 
crossing case study using STeP. 

4.2 Fault-tolerant Systems 

In [BLM97], a parameterized fault- tolerant leader-election algorithm re- 
cently proposed is modeled and verified using STeP. Our methods settle the 
general IV-process correctness for the algorithm, which had been previously 
verified only for N = 3. We formulate the notion of Uniform Compassion 
to model progress in faulty systems more faithfully, and combine it with the 
more standard notions of fairness. We also show how the correctness proofs 
generalize to different channel models by a reduction to a simple channel 
model. 
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4.3 Hybrid Systems 

In [MS98] we present invariant generation methods for hybrid systems, and 
verify a simple hybrid water level controller using STeP. In [MCF + 98], we 
show how deductive verification tools, and the combination of finite-state 
model checking and abstraction, allow the verification of infinite-state sys- 
tems featuring data types commonly used in software specifications, includ- 
ing real-time and hybrid systems. We verify properties of the hybrid indus- 
trial steam boiler example, which is modelled as the combination of discrete 
and hybrid modules. 

4.4 Educational Use 

STeP has been used on several occasions for teaching a graduate-level in- 
troductory course on temporal verification of reactive systems, at Stanford 
University and at the Technion (Israel Institute of Technology, Haifa). 

STeP is freely available for research and educational use. The STeP 
manual is available as [BBC+95], and system descriptions are provided in 
[BBC + 96, MBB + 98]. For information on obtaining STeP, see the STeP web 
pages at: 


http : //www-step . Stanford . edu/ 
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